
Phishing Infographic – Phishing by Numbers


The manipulation of human behaviour for criminal ends is nothing new. Age-old scams that tricked people into handing over their hard-earned cash have been running since humans came down from the trees. Phishing is the modern equivalent, and it is now considered the single most successful technique used by cybercriminals. Variants on the theme of social engineering and trickery have produced a phishing toolset that criminals use to steal login credentials, exfiltrate personal data and install ransomware. Phishing comes in many forms: emails carrying malicious attachments or links to spoof websites, malicious text messages, and spoof phone calls. Such a successful method is likely to remain the cybercriminal's weapon of choice unless measures are put in place to prevent it.

Types of Phishing

There are a variety of phishing types. Each has the same ultimate goal: either to get malware installed on the recipient's device, or to get the recipient to click a link to a spoof website where they download malware or enter sensitive data such as login credentials. The following are the most common types of phishing to date.

Phishing

In March 2016, 93% of phishing emails were being used to infect victims with ransomware (1)

85% of organizations reported suffering a phishing attack in 2015, up from 72% in 2014 (2)

Phishing emails carrying JavaScript attachments and Microsoft Office macros were the most common methods of infecting users (1).

In a new twist on the old hijacking of email contact lists, a Facebook-based phishing scam emerged this year. Users were sent fake Facebook notifications saying a friend had mentioned them in a comment. The message delivered a Trojan that installed a malicious Chrome browser extension; the extension carried out a Facebook account takeover, allowing the attacker to change privacy settings and steal data (3).

The IRS saw a 400% increase in phishing aimed at taxpayers during the 2016 tax season (4)

Sources:

(1) PhishMe, Q1 2016 Malware Review

(2) Wombat Security, State of the Phish 2016

(3) Telegraph, Facebook fake friend phishing attack, July 2016

(4) IRS

Spear Phishing

Spear phishing is a phishing email targeted at a specific, known person. It usually addresses them by name in the email body and contains enough specific personal information to look very convincing. Spear phishing has been used very successfully in a number of high-profile attacks, including the Target Corp breach disclosed in late 2013. Often this type of phishing is used to steal login credentials for secured resources such as servers.

67% of organizations reported a spear phishing attack (1)

Size of organization does not guarantee immunity from spear phishing: organizations of all sizes are being attacked. However, the share of spear phishing aimed at small businesses (under 250 employees) has grown over the last three years, whereas the share aimed at large businesses (more than 2,500 employees) has stayed roughly flat.

Share of spear-phishing attacks by size of targeted organization, in % (2):

Year    Large (2,500+)    Medium (251-2,500)    Small (1-250)

2013    39                31                    30

2014    41                25                    34

2015    35                22                    43

There was a large spear phishing campaign targeting Amazon customers this year. The emails carried Microsoft Word attachments whose macros installed the Locky encryption ransomware. Up to 30 million customers were targeted. What made it a spear phishing campaign rather than a general one was that the attackers manipulated the email headers, spoofing the sender, so that the messages appeared to come from Amazon (3).
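The two tells described on this page, spoofed sender headers (the Amazon/Locky campaign above) and JavaScript or macro-enabled Office attachments (the PhishMe finding under Phishing), can both be checked mechanically before a message reaches a user. The following Python script is an added example written for this page; it is not code from any of the vendors cited. It parses a raw message, compares the From domain with the Return-Path and Reply-To domains and with the SPF/DKIM/DMARC verdicts in the Authentication-Results header, and inspects attachments for risky extensions and for an embedded VBA project (OOXML files are zip archives, and a macro-enabled one contains a vbaProject.bin part). The sample message, its domains (amazon.example, mailer-x.example, corp.example) and the placeholder vbaProject.bin are constructed for the demonstration; the Authentication-Results header is assumed to have been written by the receiving mail server.

```python
"""Triage a raw email for two phishing tells: a From: header that does not
line up with the envelope sender or the receiver's authentication results,
and attachments of the kinds phishing campaigns favour (script files and
macro-enabled Office documents)."""
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions that execute code when opened. Assumption: a starting point,
# not a complete catalogue.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta",
                    ".docm", ".dotm", ".xlsm", ".pptm"}


def _domain(header_value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(value):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or "")}


def header_findings(msg):
    """Flag sender-spoofing indicators: domain mismatches and failed auth."""
    findings = []
    from_dom = _domain(msg["From"])
    for name in ("Return-Path", "Reply-To"):
        other = _domain(msg[name])
        if other and other != from_dom:
            findings.append(f"{name} domain {other} differs from From domain {from_dom}")
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "none")
        if verdict != "pass":
            findings.append(f"{method}={verdict} for From domain {from_dom}")
    return findings


def has_vba_project(data):
    """OOXML files are zips; a macro-enabled one carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_findings(msg):
    """Flag attachments by extension and by the presence of a VBA project."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name}: executable/macro-enabled type {ext}")
        if has_vba_project(data):
            findings.append(f"attachment {name}: contains a VBA macro project")
    return findings


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and return every finding."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    return header_findings(msg) + attachment_findings(msg)


def build_sample():
    """Constructed sample, not a captured message: spoofed From with a
    mismatched envelope sender, failing SPF/DMARC, and a .docm attachment
    whose vbaProject.bin is a placeholder rather than real macro code.
    All domains are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "Amazon Orders <orders@amazon.example>"
    msg["To"] = "victim@corp.example"
    msg["Return-Path"] = "<bounce@mailer-x.example>"
    msg["Subject"] = "Your order has dispatched"
    msg["Authentication-Results"] = ("mx.corp.example; spf=fail smtp.mailfrom=mailer-x.example; "
                                     "dkim=none; dmarc=fail header.from=amazon.example")
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="ODR_12345.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The domain comparison is the same identifier-alignment idea DMARC uses: a message whose visible From domain differs from the domain that actually sent it is the signature of a spoofed header. Two caveats for real use: Return-Path is only trustworthy when your own MTA wrote it from the SMTP envelope, and a .doc (binary OLE) attachment can carry macros without the .docm extension, so the extension list alone is not enough for legacy formats.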

Sources:

(1) Wombat Security, State of the Phish 2016

(2) Symantec, Attackers Target Both Large and Small Businesses

(3) Kaspersky Lab, Threatpost

Whaling or Business Email Compromise (BEC)

This is a variant of spear phishing aimed at employees of a corporation, tricking them into thinking the email comes from their CEO or a similar C-level executive. It requires far more upfront research by the phisher, and the resulting email is very convincing.

BEC (Whaling) statistics

In Q4 2015, 55% of businesses saw an increase in this type of scam (1)

January 2015 – June 2016 (2):

Losses: almost $3.1 billion (actual $3,086,250,090)

Number of countries involved: 100

Number of U.S. states involved: 50

Number of countries the stolen money is sent to: 79, concentrated in Asia

37% of companies surveyed had been victim of a targeted phishing scam where the email had purported to be from their CEO (3)

This year, Snapchat fell victim to a payroll-targeted BEC, resulting in the personal details and payroll information of an undisclosed number of employees being disclosed. The email looked as though it came from Snapchat's CEO, Evan Spiegel (4).

In similar faked-CEO phishing attacks, 55 companies fell for a W-2 U.S. tax-records scam in 2015. The attackers found company details on sites such as LinkedIn, then used emails that appeared to come from the CEO to trick the company's accounts department into releasing W-2 tax records for its employees. The records were then used to file false tax claims (5).

Sources:

(1) Mimecast, Changes in Whaling and Fraud Email Tactics

(2) FBI, Business E-Mail Compromise: The 3.1 Billion Dollar Scam

(3) AlienVault, Clicking With The Enemy

(4) CNET, Snapchat employee falls for email phishing scam

(5) Cloudmark Security Blog

SMiShing

SMiShing is a variant of phishing that uses SMS text messages instead of emails to trick users into giving up details such as login credentials. A recent WhatsApp-based SMiShing scam is an example: users received an ordinary SMS on their phone telling them they needed to pay a fee to keep using WhatsApp. The message tricked them into clicking a link to a spoof WhatsApp site, where they were asked for credit card details.

55% of organizations reported a SMiShing attack (1)

Source:

Wombat Security, State of the Phish 2016

Vishing

Vishing involves the use of a phone call to extract personal data from a user, which is then used to commit fraud. There are many vishing scams involving banks and other financial institutions. One of the largest to date is the IRS vishing scam (1). In March 2016 there was a tenfold increase in the number of vishing attempts, with around 450,000 victims (2).

Sources:

(1) IRS

(2) Pindrop Blog

Number of phishing attacks across the global market (1)

Quarter    Attacks    % increase over previous quarter

Q2 2015    126,797    -

Q3 2015    130,946    3.3

Q4 2015    144,694    10.5

Q1 2016    240,520    66.2

Q2 2016    516,702    114.8

Source:

(1) RSA, Fraud Action Quarterly, Q2 2016 Threat Report

Alternative Numbers from the Anti-Phishing Working Group (APWG)

Unique phishing websites, six months to March 2016

Month     Sites      % change over previous month

Oct 15    48,114     -

Nov 15    44,575     -7.4

Dec 15    65,885     47.8

Jan 16    86,557     31.4

Feb 16    79,259     -8.4

Mar 16    123,555    55.9

Source:

APWG, Phishing Activity Trends Reports for Q4 2015 and Q1 2016:

APWG Trends Report Q4 2015 (PDF)

APWG Trends Report Q1 2016 (PDF)

Number of unique reported phishing email campaigns

Month     Campaigns    % change over previous month

Oct 15    194,499      -

Nov 15    105,233      -45.9

Dec 15    80,548       -23.5

Jan 16    99,384       23.4

Feb 16    229,315      130.7

Mar 16    229,265      0.0

Source:

APWG, Phishing Activity Trends Reports for Q4 2015 and Q1 2016:

APWG Trends Report Q4 2015 (PDF)

APWG Trends Report Q1 2016 (PDF)

Click rate

2014 – 23% opened a phishing email; 11% clicked on malicious link or opened attachment (i.e. completed the phish) (1)

2015 – 30% opened a phishing email; 13% clicked on malicious link or opened attachment (i.e. completed the phish) (1)